WhatsApp vulnerability allowed spyware to be installed on smartphones

Facebook-owned messaging giant WhatsApp has confirmed a vulnerability that allowed hackers to install spyware on smartphones.

While WhatsApp began life as a simple messaging app, it has expanded into all manner of communications — this includes voice calls, which it has offered since early 2015. According to a report in the Financial Times, malicious code developed by Israeli cyber intelligence firm NSO could be delivered to users’ handsets using an exploit in the voice-call feature on WhatsApp. The code could be deployed irrespective of whether the recipient answered the call.

Facebook issued this update late last night with more details on the vulnerability, saying: “A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.”

Tel Aviv-based NSO has long been mired in controversy over its development of mobile surveillance technology, which it says it sells to government agencies to “prevent and investigate terrorism and crime to save thousands of lives around the globe.”

Several reports over the past few years have indicated that the technology has been used to target journalists and human rights activists. Back in 2016, Apple issued an iOS update to patch a security flaw after NSO’s technology was apparently used to target the iPhone of human rights activist Ahmed Mansoor.

NSO’s core product, Pegasus, is essentially spyware that can scrape email and text messages, track calls, access a device’s location, and activate the phone’s microphone and camera. It’s worth noting here that although WhatsApp was used in this instance to distribute Pegasus, WhatsApp messages — which are encrypted — are not thought to have been impacted.

Timing

A WhatsApp spokesperson confirmed that it found the vulnerability in early May, and started issuing a fix to its infrastructure late last week. Though that back-end fix alone should have patched the vulnerability, the company is still recommending that users update WhatsApp to the following latest versions:

WhatsApp for Android: v2.19.134

WhatsApp Business for Android: v2.19.44

WhatsApp for iOS: v2.19.51

WhatsApp Business for iOS: v2.19.51

WhatsApp for Windows Phone: v2.18.348

WhatsApp for Tizen: v2.18.15.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a spokesperson said. “We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”

The timing of this news is notable, as it comes as NSO faces legal wrangles in Israel over its sale of surveillance technology to oversees governments that may be abusing the technology. Amnesty International and New York University (NYU) are filing a petition today at the District Court of Tel Aviv, in support of existing legal action that is asking the ministry of defence (MoD) to revoke NSO’s export licence.

“The Israeli MoD has ignored mounting evidence linking NSO Group to attacks on human rights defenders, which is why we are supporting this case,” noted Danna Ingleton, deputy director of Amnesty Tech. “NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world is at risk.”

According to the FT, a U.K-based human rights lawyer was targeted as recently as Sunday using this WhatsApp exploit — the lawyer has reportedly helped journalists and other activists sue NSO in Israel. It appears that the security measures WhatsApp introduced last week may have prevented the attack from succeeding.

A WhatsApp spokesperson confirmed that it believed a number of individuals had been targeted in this way, and that it has briefed a number of human rights organizations on the matter, and also informed U.S. law enforcement.

In a statement issued to the FT, NSO denied having any knowledge of the recent targets of the WhatsApp exploit.

“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” it said. “NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual [the UK lawyer].”